Index: request_response.txt
===================================================================
--- request_response.txt (revision 4815)
+++ request_response.txt (working copy)
@@ -364,9 +364,9 @@
Returns ``True`` or ``False`` based on a case-insensitive check for a
header with the given name.
-``set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None)``
+``set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=None)``
Sets a cookie. The parameters are the same as in the `cookie Morsel`_
- object in the Python standard library.
+ object in the Python standard library, aside from ``httponly``.
* ``max_age`` should be a number of seconds, or ``None`` (default) if
the cookie should last only as long as the client's browser session.
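Review bot: the new ``httponly=None`` parameter in the signature is documented only as "aside from ``httponly``" in this hunk, which tells the reader the Morsel docs do not cover it but not what the default means. Suggest stating here that ``None`` (the default) means no HttpOnly attribute is written to the Set-Cookie header, and only ``httponly=True`` emits it, so the default behaviour is unchanged for existing callers.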
@@ -377,7 +377,11 @@
the domains www.lawrence.com, blogs.lawrence.com and
calendars.lawrence.com. Otherwise, a cookie will only be readable by
the domain that set it.
+ * Use ``httponly`` set to ``True`` to set non-standard HttpOnly Cookie
+ flag to disallow access to this cookie via JavaScript. Not all browsers
+ honor this flag. See the `session docs`_.
+ .. _session docs: ../sessions/
.. _`cookie Morsel`: http://www.python.org/doc/current/lib/morsel-objects.html
``delete_cookie(key, path='/', domain=None)``
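Review bot: the new bullet "Use ``httponly`` set to ``True`` to set non-standard HttpOnly Cookie flag" is missing an article and reads awkwardly; suggest "Use ``httponly=True`` to set the non-standard HttpOnly cookie flag, which disallows access to this cookie via JavaScript." The sentence "Not all browsers honor this flag" is the right caveat, but it is worth adding that the flag only blocks script access to the cookie value: the browser still sends the cookie with requests, so it limits cookie theft rather than preventing other script-driven actions.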
Index: sessions.txt
===================================================================
--- sessions.txt (revision 4815)
+++ sessions.txt (working copy)
@@ -288,6 +288,16 @@
(default), then the session data will only be saved if it has been modified --
that is, if any of its dictionary values have been assigned or deleted.
+SESSION_HTTP_ONLY
+-----------------
+
+Default: ``False``
+
+Whether to use the non-standard HttpOnly Cookie flag. Some browsers, notably
+Internet Explorer and upcoming Firefox 3, allow cookies to be sent as HTTP-only.
+These cookies cannot be read using JavaScript, minimizing cross-site scripting
+attacks for user agents that support it.
+
.. _Django settings: ../settings/
Technical details
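Review bot: "minimizing cross-site scripting attacks" overstates what the flag does. HttpOnly does not reduce the number of XSS attacks; it stops injected script from reading the session cookie, so it limits the impact of an XSS bug (session-cookie theft) rather than the bug itself. Suggest "These cookies cannot be read using JavaScript, which limits the damage of a cross-site scripting attack by preventing the session cookie from being stolen, on user agents that support the flag." The reference to "upcoming Firefox 3" will date quickly; a neutral "some browsers support HttpOnly; check your target user agents" would age better in the reference docs.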
Index: settings.txt
===================================================================
--- settings.txt (revision 4815)
+++ settings.txt (working copy)
@@ -736,6 +736,13 @@
Whether to save the session data on every request. See the `session docs`_.
+SESSION_HTTP_ONLY
+-----------------
+
+Default: ``False``
+
+Whether to use the non-standard HttOnly Cookie flag. See the `session docs`_.
+
SITE_ID
-------
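Review bot: typo in the new setting description, "HttOnly Cookie flag" should read "HttpOnly Cookie flag", matching the spelling used in the sessions.txt hunk and the ``set_cookie`` docs. Otherwise the entry is consistent with the other SESSION_* settings above it (default stated, pointer to the session docs).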